Last year was the worst to date for viruses and software exploits, according to security experts. While attacks haven't increased significantly in the past three years (still between 500 and 800 per month), malware such as Slammer, Blaster and Sobig-F caused widespread disruption.
"In 2001, we had a busy year with worms like CodeRed," said Mikko Hypponen, director of antivirus research at Helsinki, Finland-based F-Secure. "We had a relatively quiet year in 2002 and then 2003 was the worst year yet for viruses and worms."
Security experts with Trend Micro, ISS and the Anti-Virus Information Exchange Network (AVIEN) agree that 2003 was a bumper year. "We had more trouble last year than in previous years," said Joe Hartmann, director of antivirus research for Trend Micro. "For example, in the first 24 hours of the Sobig attack we blocked over two million infected e-mails."
Several new trends also emerged last year. There was closer cooperation between the spamming community and virus writers. For example, the Mimail worm attacked the Web servers of antispam groups such as Spamhaus. "We got the first concrete evidence that spammers were working with virus groups," said Hypponen. "The proxy servers used by Sobig-F were used by illegal spammers." F-Secure thinks that the group responsible for Sobig-F may have been selling information to several spam operators.
Furthermore, virus writers have become more proficient at exploiting software weaknesses, as in the cases of Blaster and Slammer, which spread so fast that the AV vendors didn't have time to respond. Typically, it takes the AV vendors four hours to obtain the code, analyze it and write an update. However, Slammer scanned the entire Internet for weaknesses in just 15 minutes, according to F-Secure.
Network security vendors have responded by developing intrusion-prevention systems that are designed to detect code behavior, as well as intrusion-detection systems that seek out particular code. According to Dan Ingevaldson, research director at ISS, there's a growing need to be able to detect software exploits that aren't necessarily viruses.
However, while the methods of the malicious hackers have become more sophisticated, their software remains relatively primitive.
"Slammer and Blaster aren't particularly clever pieces of code," said Andrew Lee, AVIEN administrator. "The exploits were already well known. They just took advantage of them."
Fortunately, the viruses and security exploits so far have been relatively harmless. Few, for example, have deleted code.
"So if 2003 is the worst year yet then bring it on," said Rob Rosenberger, editor of Vmyths.com. "For the amount we hear about cyberterrorism, to the best of my knowledge nobody has ended up on the morgue table yet."